IPsec - got ESP going, but not AH

Greg Troxel gdt at ir.bbn.com
Wed Apr 28 09:31:17 PDT 2004 

> Date: Tue, 27 Apr 2004 11:44:22 -0700
> From: "Crist J. Clark" <cristjc at comcast.net>
> To: Greg Troxel <gdt at ir.bbn.com>
> Cc: Dan Langille <dan at langille.org>, freebsd-security at FreeBSD.org
> Subject: Re: IPsec - got ESP going, but not AH
> Message-ID: <20040427184422.GA88369 at blossom.cjclark.org>
> Reply-To: "Crist J. Clark" <cjc at FreeBSD.org>
> References: <40885ECF.22456.1C68F42E at localhost> <rmismeuucl4.fsf at fnord.ir.bbn.com>
> 
> On Fri, Apr 23, 2004 at 08:02:15AM -0400, Greg Troxel wrote:
> > While this should probably work, it's more straightforward to use ESP
> > with integrity protection.  That is, use a -A hmac-sha1 argument also
> > to ESP.  (hmac-md5 is probably still fine, but sha1 goes better
> > strength-wise with rijndael-cbc.)
> > 
> > I believe that in tunnel mode AH and ESP integrity are essentially
> > identical - but read RFC2401 and rfc2401bis (i-d from ipsec wg) if you
> > really want to understand.
> 
> Not true. ESP integrity does not cover the IP header, only the ESP
> payload. Look at the diagrams in section 3.1 of RFC2406.

I was a bit off here.  AH in tunnel mode does authenticate the outer
IP header.  But since this header is removed at tunnel egress, and
presumably checked against the SPD or SAD entry, an ICV over the outer
header fields has little additional value once one checks an ICV over
the packet and determines that the packet came from the other SA
endpoint.

Whether and how carefully KAME-derived implementations check tunnel
headers against SPD/SAD is another story - I have not investigated this.

> > In transport mode, AH protects parts of
> > the original (and only) IP header.
> 
> Not true. AH protects the entire datagram, including payload. Again
> hop down to section 3.1 of RFC2402 for that RFC-ASCII art we all love
> so much.

Sorry - I was being too terse.  I meant that it protects part of the
IP header in addition to the payload (which is also protected by ESP).

Really the point I was trying to make (and did so badly) was that for
many uses, ESP with integrity is perfectly adequate and is simpler
than AH and ESP together.

More information about the freebsd-security mailing list